Hello,
On 10/23/06, Pierre <[EMAIL PROTECTED]> wrote:
Hello,
On 10/23/06, Ilia Alshanetsky <[EMAIL PROTECTED]> wrote:
>
> On 23-Oct-06, at 4:48 AM, Stefan Esser wrote:
>
> > Hi,
> >
> > I just wanted to remind you that PHP 5.2.0 will be released with broken
> > and inconsistent input filtering.
> >
> > Right now _SERVER is only passed through the input filter for apache 1
> > SAPI. All other SAPIs do not pass _SERVER variables through the filter.
> > This will be a major headache for people using ext/filter etc...
>
> In some SAPIs such as CLI it makes little sense to filter $_SERVER in
> the majority of cases. As a whole I do not believe $_SERVER in its
> entirety needs to be filtered, given that at least 1/2 the data there
> is not based on user-input. My suggestion is that people use the
> filter_var() function to filter components of the $_SERVER
> superglobal that they are using.
>
> That said, in a future release there are plans to extend support to
> Apache 2 and cgi/fcgi sapis as well as add handling for $_REQUEST.
Yes, and more generally as soon as we fix the leaks and the other
troubles we spotted recently. I still like to disable ENV/SERVER
support in 5.2.0 (just like _REQUEST), we can restore it later.

I just discussed with Ilia about this problem. 5.2.0 will be kept as
it is now, only the apache1 sapi will be supported. Other SAPIs will be
introduced for 5.2.1.
Ilia already has a patch for apache2 sapi support, it will be
committed in HEAD as soon as possible, others will follow.
Thanks for the heads-up,
--Pierre
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
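
The approach suggested in the thread, running filter_var() over only the $_SERVER entries an application actually reads, as an added example that is not code from the thread or from the PHP project. The function name `filtered_server`, the choice of keys and the patterns are assumptions; the syntax needs PHP 7.1 or later.

```php
<?php
// Added example. The key list and patterns are assumptions for illustration.
function filtered_server(array $server): array
{
    $rules = [
        // Taken from the request, so fully client-controlled.
        'HTTP_HOST'   => [FILTER_VALIDATE_REGEXP,
                          ['regexp' => '/^[a-z0-9.-]{1,253}(:\d{1,5})?\z/i']],
        'REQUEST_URI' => [FILTER_VALIDATE_REGEXP,
                          ['regexp' => '#^/[\x21-\x7e]*\z#']],
        // Set by the server, still checked for the expected type.
        'REMOTE_ADDR' => [FILTER_VALIDATE_IP, []],
        'SERVER_PORT' => [FILTER_VALIDATE_INT,
                          ['min_range' => 1, 'max_range' => 65535]],
    ];

    $clean = [];
    foreach ($rules as $key => [$filter, $options]) {
        $clean[$key] = null;                 // missing or invalid stays null
        if (!isset($server[$key]) || !is_scalar($server[$key])) {
            continue;
        }
        $value = filter_var($server[$key], $filter, ['options' => $options]);
        if ($value !== false) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample input standing in for $_SERVER.
$sample = [
    'HTTP_HOST'   => "example.org\r\nX-Injected: 1",  // rejected: CR/LF
    'REQUEST_URI' => '/index.php?id=42',
    'REMOTE_ADDR' => '192.0.2.10',
    'SERVER_PORT' => '8080',
    'PATH'        => '/usr/bin',                       // not in the rules, dropped
];
var_dump(filtered_server($sample));
```

Because the allow-list is applied in application code, the result is the same under every SAPI, whether or not that SAPI passes $_SERVER through the input filter.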